On our Virtualmin server, we have one primary webmaster. However, due to a lack of linux experience he does not have root access. Organizational policy requires that we use SCP with certificates rather than FTP for file transfer.
In order to allow him to get on with his job, I attempted to put his SSH key into /etc/skel/.ssh/authorized_keys. This way he can create new domains and immediately access them to upload files. However, something about the way virtualmin creates a new domain appears to delete the contents of this file.
Running useradd as root correctly copies the skel files into the new home directory (including file contents), but creating a new domain with virtualmin creates the files with the correct permissions but it doesn't copy the contents (authorized_keys is there, but empty).
Is there something in Virtualmin that is doing this intentionally? The server is running a fully patched Centos 5.4 and Virtualmin GPL.
Here are the file permissions on the /skel files:
-bash-3.2# ls -alhr total 64K -rw-r--r-- 1 root root 658 Jan 7 2007 .zshrc drwx------ 2 root root 4.0K Aug 6 06:29 .ssh -rw-r--r-- 1 root root 124 Jan 21 2009 .bashrc -rw-r--r-- 1 root root 176 Jan 21 2009 .bash_profile -rw-r--r-- 1 root root 33 Jan 21 2009 .bash_logout drwxr-xr-x 75 root root 12K Sep 9 10:48 .. drwxr-xr-x 3 root root 4.0K Aug 6 06:29 . -bash-3.2# ls -alh /etc/skel/.ssh/ total 24K drwx------ 2 root root 4.0K Aug 6 06:29 . drwxr-xr-x 3 root root 4.0K Aug 6 06:29 .. -rw-r--r-- 1 root root 808 Aug 6 06:29 authorized_keys
Comments
Submitted by JamieCameron on Wed, 09/09/2009 - 12:13 Comment #1
That is surprising, as there is no special clearing of authorized_keys in Virtualmin.
If you create some other test file like .ssh/foo.txt with some random contents, does it get copied to new users correctly?
Submitted by jgee on Thu, 09/17/2009 - 06:53 Comment #2
Jamie, I tried this test, and all of the files in /etc/skel/.ssh have their contents removed when creating a new server with virtualmin. However, creating a user with useradd copies all of the contents correctly. Is there anything else you'd like me to try?
Josh
PS.. Sorry for the delay. Had my forum preferences set wrong.
Submitted by jgee on Thu, 09/17/2009 - 07:00 Comment #3
Couldn't figure out how to subscribe to this thread without commenting again. Please ignore
Submitted by JamieCameron on Thu, 09/17/2009 - 11:31 Comment #4
So the files from the .ssh directory were copied to the new user, but as empty files? Or they didn't get copied at all?
Submitted by jgee on Thu, 09/17/2009 - 11:59 Comment #5
They're copied, but empty.
Submitted by JamieCameron on Thu, 09/17/2009 - 12:53 Comment #6
That's really odd - I can't re-produce this.
If you create another sub-directory under /etc/skel and put some files into it, do they get copied empty to new users?
Submitted by jgee on Tue, 09/22/2009 - 06:36 Comment #7
I created some other files and folders under /etc/skel with a variety of permissions. Here's the result:
Any file that is world readable will be copied correctly (including the contents)
Any file that is not world readable will also have only it's metadata copied. Name and permissions will be correct, but contents will be missing
Any file in a folder that's not world readable and executeable: The folder will copy, and the file names will copy, but all of the files will be empty (only metadata)
Thankfully, SSH will allow .ssh and authorized_keys to be world-readable (though not writeable), so I can sort out my issue. But it's very strange that virtualmin (GPL) has this behavior but useradd doesn't.
Any ideas?
Josh
Submitted by JamieCameron on Tue, 09/22/2009 - 12:03 Comment #8
Ok, that explains it now .. the copy from /etc/skel is done with the permissions of the domain owner user, not root in order to avoid possible security issues with malicious symlinks (for example, imaging if ~/.ssh/authorized_hosts was a link to /root/.ssh/authorized_hosts). So if a file under /etc/skel isn't world-readable, it won't get copied.